modules/keying/keying_test.go


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

// Copyright 2024 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package keying_test

import (
	"math"
	"testing"

	"code.gitea.io/gitea/modules/keying"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"golang.org/x/crypto/chacha20poly1305"
)

func TestKeying(t *testing.T) {
	t.Run("Not initalized", func(t *testing.T) {
		assert.Panics(t, func() {
			keying.DeriveKey(keying.Context("TESTING"))
		})
	})

	t.Run("Initialization", func(t *testing.T) {
		keying.Init([]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07})
	})

	t.Run("Context seperation", func(t *testing.T) {
		key1 := keying.DeriveKey(keying.Context("TESTING"))
		key2 := keying.DeriveKey(keying.Context("TESTING2"))

		ciphertext := key1.Encrypt([]byte("This is for context TESTING"), nil)

		plaintext, err := key2.Decrypt(ciphertext, nil)
		require.Error(t, err)
		assert.Empty(t, plaintext)

		plaintext, err = key1.Decrypt(ciphertext, nil)
		require.NoError(t, err)
		assert.EqualValues(t, "This is for context TESTING", plaintext)
	})

	context := keying.Context("TESTING PURPOSES")
	plainText := []byte("Forgejo is run by [Redacted]")
	var cipherText []byte
	t.Run("Encrypt", func(t *testing.T) {
		key := keying.DeriveKey(context)

		cipherText = key.Encrypt(plainText, []byte{0x05, 0x06})
		cipherText2 := key.Encrypt(plainText, []byte{0x05, 0x06})

		// Ensure ciphertexts don't have an determistic output.
		assert.NotEqualValues(t, cipherText, cipherText2)
	})

	t.Run("Decrypt", func(t *testing.T) {
		key := keying.DeriveKey(context)

		t.Run("Succesful", func(t *testing.T) {
			convertedPlainText, err := key.Decrypt(cipherText, []byte{0x05, 0x06})
			require.NoError(t, err)
			assert.EqualValues(t, plainText, convertedPlainText)
		})

		t.Run("Not enougn additional data", func(t *testing.T) {
			plainText, err := key.Decrypt(cipherText, []byte{0x05})
			require.Error(t, err)
			assert.Empty(t, plainText)
		})

		t.Run("Too much additional data", func(t *testing.T) {
			plainText, err := key.Decrypt(cipherText, []byte{0x05, 0x06, 0x07})
			require.Error(t, err)
			assert.Empty(t, plainText)
		})

		t.Run("Incorrect nonce", func(t *testing.T) {
			// Flip the first byte of the nonce.
			cipherText[0] = ^cipherText[0]

			plainText, err := key.Decrypt(cipherText, []byte{0x05, 0x06})
			require.Error(t, err)
			assert.Empty(t, plainText)
		})

		t.Run("Incorrect ciphertext", func(t *testing.T) {
			assert.Panics(t, func() {
				key.Decrypt(nil, nil)
			})

			assert.Panics(t, func() {
				cipherText := make([]byte, chacha20poly1305.NonceSizeX)
				key.Decrypt(cipherText, nil)
			})
		})
	})
}

func TestKeyingColumnAndID(t *testing.T) {
	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table", math.MinInt64))
	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table", -1))
	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table", 0))
	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, keying.ColumnAndID("table", 1))
	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table", math.MaxInt64))

	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table2", math.MinInt64))
	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table2", -1))
	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table2", 0))
	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, keying.ColumnAndID("table2", 1))
	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table2", math.MaxInt64))
}